Splunk Search

How to sort a report to give me top 20 MAX values?

sraguan
Explorer

I have a report that shows me the top 20 of the field called "sc_bytes" (by count),

source="xap.csv" | top limit=20 sc_bytes

So this is what I get:

sc_bytes cs_uri_stem Count percent
992 /messagebroker/amfpolling.wlforward 433769 16.32443
1245 /messagebroker/amfpolling.wlforward 72714 14.026691
276 /messagebroker/amfpolling.wlforward 217028 8.167615
927 /messagebroker/amfpolling.wlforward 119193 4.4857

but I want to see the top 20 of the field called "sc_bytes" by the MAXIMUM value of the field itself and not by count.
So it will look like this:

sc_bytes cs_uri_stem Count percent
1245 /messagebroker/amfpolling.wlforward 72714 14.026691
992 /messagebroker/amfpolling.wlforward 433769 16.32443
927 /messagebroker/amfpolling.wlforward 119193 4.4857
276 /messagebroker/amfpolling.wlforward 217028 8.167615

1 Solution

sraguan
Explorer

got it:

source="xap.csv" | fields sc_bytes | sort -sc_bytes | head 20 | top limit=20 sc_bytes

richgalloway
SplunkTrust

It looks like your second example is just a re-sort of your first example. If that's all you need, then add a sort to your search:

source="xap.csv" | top limit=20 sc_bytes | sort -sc_bytes

---
If this reply helps you, an upvote would be appreciated.
0 Karma

sraguan
Explorer

Thanks @richgalloway ,
the sort really did sort the top 20, but I have 2 million events in this search and it sorted the top 20 that had the highest count.
I want to sort the top 20 events that have the highest (MAX) sc_bytes.

0 Karma

esix_splunk
Splunk Employee

This perhaps?

.... | stats count max(sc_bytes) as max | top limit=20 max

0 Karma

sraguan
Explorer

@esix_splunk,
I tried what you suggested, but stats max only gives you 1 value, which is the highest one;
it can't give you multiple values (20) like I want.

0 Karma

esix_splunk
Splunk Employee

Yes, you need to group this by something, such as host, interface, etc.

0 Karma
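A concrete search for the grouping that esix_splunk describes, added here as an illustration; it is not taken from any post in this thread. It keeps the field names from the question (source="xap.csv", sc_bytes, cs_uri_stem); the alias max_sc_bytes is an assumption. Because stats is given BY cs_uri_stem, max() is computed once per URI instead of once over the whole search, so the output has one row per URI, and sort followed by head keeps the 20 URIs with the largest observed sc_bytes:

```spl
source="xap.csv"
| stats count, max(sc_bytes) AS max_sc_bytes BY cs_uri_stem
| sort -max_sc_bytes
| head 20
```

If the goal is instead the 20 largest distinct sc_bytes values together with how often each occurred (the shape of the tables in the question), group on the value itself: `| stats count BY sc_bytes | sort -sc_bytes | head 20`. In both forms sort runs after stats, which is why the rows are ordered by the value rather than by count; sort detects numeric values, so 1245 is placed above 992 rather than sorted as text.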

sraguan
Explorer

I'm not sure I'm getting what you are saying (newbie in Splunk),
is there a group command?
Or even better, can you please write the search query that can give me the output that I want?

0 Karma